1. Field of the Invention
The present invention relates generally to controlling access to a server on an image processing device.
2. Description of the Related Art
A typical MFP usually comes with a native Scan and Send application. The native application can scan a document and send it to a remote server through common protocols such as FTP (File Transfer Protocol), WebDAV (Web Distributed Authoring and Versioning) and SMB (Server Message Block). But sometimes the customer wants to send the scanned document somewhere else, such as a third party's content management system or a cloud that is not covered by the native application. In this case a customized scan and send solution is needed to fulfill the business need. Compared to the native application, the only difference for the customized solution is the sending portion; the scanning portion should be similar. To save cost as well as to boost operational consistency across the different applications (to decrease the learning curve of the end user), it is desirable for the customized solution to reuse the scanning portion of the native application and only handle the sending portion.
One way to do this is for the customized solution to implement a common protocol (e.g. FTP, WebDAV or SMB) as a server in a minimal way, just enough to receive the file data transferred from a client. When a scan and send is needed, the customized solution passes its own information as a server (such as the network address of the MFP and the user name and password of the implemented server) to the native application and lets the native application do the scanning and sending. After the native application finishes sending, the customized solution receives the scanned document through its implemented server and can then go on to send it somewhere else and accomplish its own business. For the customized solution, as a simple server, one challenge is how to secure the server to prevent unauthorized access.
Since the customized solution knows both the server and client sides, it is convenient for the application to hard code a user name and password instead of utilizing a sophisticated user management system for authentication and authorization. This simplifies the server implementation and saves cost.
But a hard coded user name and password are not safe enough no matter how complicated they are. Since more than one person can know the information, a leak can happen accidentally or on purpose, especially when a person who knows it leaves the company. On the other hand, a hacker can always attack such an FTP site by a brute-force search for the hard coded user name and password.
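As an added illustration that is not part of the original disclosure, the following Python sketch shows one way a minimal receive-only server could avoid the two weaknesses named above: credentials are random and single-use per scan job, so a leaked pair is worthless afterwards, and failed logins are counted per client, so a brute-force search is cut off. The class name `JobCredentials`, the lifetime and the lockout threshold are assumptions chosen for the example.

```python
import hmac
import secrets
import time

MAX_FAILURES = 5          # assumed lockout threshold per client address
CREDENTIAL_TTL = 120.0    # assumed lifetime of one job's credentials, in seconds


class JobCredentials:
    """Hypothetical per-job credential store for an embedded receive-only server."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._active = {}     # user name -> (password, expiry time)
        self._failures = {}   # client address -> consecutive failed logins

    def issue(self):
        """Create a random user/password pair to pass to the native scan application."""
        user = "job-" + secrets.token_hex(4)
        password = secrets.token_urlsafe(24)
        self._active[user] = (password, self._clock() + CREDENTIAL_TTL)
        return user, password

    def check(self, client, user, password):
        """Accept a valid, unexpired pair exactly once; count failures per client."""
        if self._failures.get(client, 0) >= MAX_FAILURES:
            return False                      # locked out: guessing is cut off
        stored, expiry = self._active.get(user, ("", 0.0))
        if user in self._active and self._clock() >= expiry:
            del self._active[user]            # expired pair is discarded
        # compare_digest avoids leaking how much of a guess matched via timing
        ok = user in self._active and hmac.compare_digest(
            stored.encode(), password.encode()
        )
        if ok:
            del self._active[user]            # single use: replay of the pair fails
            self._failures.pop(client, None)
            return True
        self._failures[client] = self._failures.get(client, 0) + 1
        return False
```

The lockout here never resets on its own; a deployed server would also age out the failure counters.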
In addition, it is known that modern computing systems often employ security measures to prevent breaches of the computing system. For example, computing systems may require users to be authenticated before granting them access to one or more resources of the computing system. Authentication may include the computing system prompting the user to provide a credential in order to log in to the computing system. The authentication may be based on a username and password, a smart card and personal identification number (PIN), or other information associated with the user. Once logged in to the computing system, the user has access to one or more resources of the computing system.
However, while secure authentication mechanisms can reduce the risk of unauthorized access to protected resources, those authentication mechanisms may become barriers hindering authorized users from accessing protected resources. Users may desire the ability to change from interacting with one application to another application without regard to authentication barriers that protect each particular system supporting those applications. In order to reduce such burdens on authorized users while maintaining system security, some computing systems have implemented single sign-on mechanisms.
In systems with single sign-on capability, a user provides a credential once and gains access to multiple computing systems without providing their credential again, even though each computing system requires the user to be authenticated. For example, a user may provide a credential only once and gain access both to resources of a computing device and to resources of an application associated with the computing device even though both the computing device and the application independently require the user to be authenticated before granting the user access to resources of the respective systems.